Earlier this year, eight US firms were breached by account takeover (ATO) attacks, exposing the personal information of thousands of clients and customers. Organizations being breached via ATO is nothing new – the significant thing to note about these cases was the hard-line approach the U.S. Securities and Exchange Commission (SEC) took in response.
The SEC decided that these eight firms had failed in their cybersecurity policies and procedures and concluded that the attacks could (and should) have been prevented. In the past, the SEC hasn’t routinely pursued sanctions against companies that disclose their incidents. However, they proceeded to fine all eight firms.
Does this suggest a hardening of the SEC’s stance on cybersecurity going forward? If so, it makes defending against phishing-driven attacks such as ATO even more pressing for US businesses.
How does ATO work?
Account takeover (ATO) is a form of identity theft in which cybercriminals gain control of a legitimate business email account and send emails from it. First, they obtain the login credentials for the account, usually through a targeted spear phishing attack.
Then, posing as the owner of the compromised account, the scammer targets employees or vendors within the supply chain with fraudulent emails. They might pressure colleagues or clients into wiring money or supplying confidential information.
Account takeover has the potential to be immensely profitable for hackers – especially if an executive account, such as the CEO’s, can be compromised. By sending an email from a legitimate email account within the business, impostors know that traditional anti-phishing software won't flag their activity as suspicious.
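Because the impostor's mail really does come from the legitimate account, sender-based filtering alone cannot catch it; a defender instead has to look for the behavioural signals the article describes (a login that does not fit the account's history, followed by pressure emails about payments). The following is an added illustration of that idea, not code from the article or from Egress: it runs a simple heuristic over a handful of constructed mailbox audit events (account names, countries and subject lines are all invented).

```python
from collections import defaultdict

# Constructed sample audit events (not from the article). Each tuple is
# (account, event_type, detail): a "login" carries the source country,
# a "send" carries (recipient, subject line).
EVENTS = [
    ("cfo@example-firm.com", "login", "US"),
    ("cfo@example-firm.com", "send", ("controller@example-firm.com", "Q3 close")),
    ("cfo@example-firm.com", "login", "US"),
    ("cfo@example-firm.com", "login", "RO"),  # first-seen country for this account
    ("cfo@example-firm.com", "send", ("ap@vendor.example",
                                      "URGENT wire today - updated bank details")),
    ("hr@example-firm.com", "login", "US"),
    ("hr@example-firm.com", "send", ("staff@example-firm.com", "Holiday schedule")),
]

# Wording typical of the pressure emails the article describes (wire money,
# hand over confidential data). Illustrative list, not a vendor rule set.
PRESSURE_TERMS = ("urgent", "wire", "bank details", "confidential", "immediately")


def find_ato_indicators(events):
    """Return alerts for sends that (a) follow a login from a country never seen
    before on that account and (b) carry payment/pressure wording. The account is
    treated as suspect only until its next login from a known country."""
    seen_countries = defaultdict(set)   # account -> countries seen in its history
    suspect = {}                        # account -> country of the anomalous login
    alerts = []
    for account, kind, detail in events:
        if kind == "login":
            country = detail
            # Only an established account with a history can be "anomalous";
            # the very first login just seeds the baseline.
            if seen_countries[account] and country not in seen_countries[account]:
                suspect[account] = country
            else:
                suspect.pop(account, None)
            seen_countries[account].add(country)
        elif kind == "send" and account in suspect:
            recipient, subject = detail
            hits = [t for t in PRESSURE_TERMS if t in subject.lower()]
            if hits:
                alerts.append({"account": account, "recipient": recipient,
                               "login_country": suspect[account], "terms": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_ato_indicators(EVENTS):
        print(alert)
```

In the sample data only the CFO account trips the rule: the HR account sends ordinary mail from its usual location, and the CFO's earlier US-origin message contains no pressure wording.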
What were the recent fines for?
Five of the firms involved were referred to as ‘the Cetera entities’. Between November 2017 and June 2020, over 60 of their internal cloud-based email accounts were taken over by unauthorized third parties. This led to the personal information of over 4,000 customers and clients being exposed. The SEC ruled that the email accounts weren’t protected in line with Cetera’s own policies, and that Cetera took too long to notify its clients of the issue.
Another two companies, referred to jointly as ‘Cambridge’, also suffered an ATO attack. Over 121 of their cloud-based email accounts were compromised between January 2018 and July 2021, exposing the personal information of over 2,000 customers and clients. The SEC was critical of Cambridge for failing to adopt enhanced security measures for cloud-based email until 2021 – despite the first ATO attack taking place back in 2018.
The story was similar with the firm KMS. Fifteen of its financial advisors had their email accounts compromised between September 2018 and December 2019, resulting in around 4,900 customers and clients having their data exposed. The SEC's order found that KMS had failed to adopt written cybersecurity policies and procedures until mid-2020, leaving additional customer records at risk.
The Cetera entities were ordered to pay a $300,000 penalty, Cambridge was fined $250,000, and KMS will have to pay $200,000.
More fines to follow?
Companies have always had to have proper controls in place for disclosing information to regulators. Historically, though, there have been few regulatory fines from the SEC for companies that suffered cyberattacks. These recent fines should serve as a warning for businesses that aren’t on top of their cybersecurity procedures.
The fines described above (among others from the SEC during 2021) suggest the SEC will be taking a no-nonsense approach going forward. The SEC’s new chair, Gary Gensler, appears keen to leave a mark as a tough regulator – and this is clearly visible in cybersecurity. The SEC is paying close attention to how effective cybersecurity policies are and whether they’re being followed, especially when personal information has been put at risk.
A quote from Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit, summarized the SEC’s position when speaking about a recent case: "Investment advisers and broker dealers must fulfil their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."
This stance reflects the importance of cybersecurity in the US right now, and is an acknowledgment of the risk posed by cyberattacks.
How can companies protect themselves?
There are lessons to be taken from the fines explored in this article. The SEC takes a dim view of businesses that take too long to disclose incidents, especially if it means leaving exposed clients and customers in the dark. Cases in 2021 have also shown that it’s not enough to have written cybersecurity policies and procedures – there needs to be evidence that they have been followed in a timely manner.
And of course, the best way to avoid the wrath of the SEC is to prevent cybersecurity breaches in the first place. Sophisticated attacks such as account takeover almost always start with spear phishing to harvest the login credentials of the target email account(s).
Traditional anti-phishing filters are unable to detect cybercriminals' sophisticated spear phishing scams, so phishing emails can easily enter your organization undetected. Intelligent anti-phishing solutions, such as Egress Defend, have a distinct advantage. Defend takes a zero-trust approach to all inbound emails, and uses machine learning and natural language processing to detect even the most targeted and advanced phishing attacks.
That means it alerts employees in real time to the complex, context-driven phishing attacks that lead to ATO.
Interested in preventing ATO and protecting your business from SEC fines? Learn more about Egress Defend here.